SQL Server: Determine domain user when using service account

Question

I want to set my applications to connect to SQL server using a service account, rather than pass through domain user credentials. With pass through, it's necessary to grant specific users read/write access to the database, which I consider a security hole.

My question is, if I establish a connection to SQL server using servic account credentials, is it still possible to identify the actual user who originated the request? For example, John Smith, a domain user, visits a website and performs some action. A connection to the database is established with the security credentials of some service account, however johh smith's name is still passed through to SQL server. SQL would use this person's name in some way - e.g. store it in an audit table, etc.

Can this be done? Is it best practice, considering that I need to get the original user's name into SQL server some way or another?

Answer 1

If the user logs to SQL Server using a SQL Server login is impossible to know who he is (on a domain level) by the SQL Login.

however johh smith's name is still passed through to SQL server

Yes, what you can do is somehow capture the AD user name using User.Identity.Name and then send it to SQL Server on a audit table you manually created yourself